Protecting Your Organization from Security Breaches

Tuesday, April 22nd, 2008
This post was written by Melanie Matthews

A recent run of headline news on information security breaches underscores the need for continued auditing and monitoring of access to electronic medical records.

An employee of NewYork-Presbyterian Hospital/Weill Cornell Medical Center in Manhattan stole information from the records of as many as 40,000 patients, according to a New York Times article on April 12th. “The theft, which occurred over the past several years and included patients’ names, phone numbers and Social Security numbers, was discovered during a federal investigation, and the hospital was notified in January, the spokeswoman, Myrna Manners, said. An internal audit by the hospital confirmed the theft, she said.”

An article in Business Week last week described how a WellPoint vendor relationship exposed personal information, possibly including Social Security numbers and pharmacy or medical data, for about 128,000 WellPoint Inc. customers in several states.

In other information security breach news, a Washington Post article describes how a government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years’ worth of clinical trial data, including names, medical diagnoses and details of the patients’ heart scans. The information was not encrypted, in violation of the government’s data-security policy. Read more on this breach online at

So how can your organization protect itself against these and other types of information security breaches?

A complimentary downloadable white paper from Absolute Software cautions not to let encryption be your only safeguard against security breaches:

“According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must use some form of encryption to protect EPHI that is stored on open networks such as laptops [2]. However, encryption alone does not protect health organizations from the human factor. According to a recent survey of 1,400 enterprises, more than 60% of data breaches are the work of those operating within the firewall – insiders such as employees, contractors and others with ready access to sensitive information [3]. Intentionally or unintentionally, insiders such as physicians and HMO brokers with wide-ranging access to both EPHI and the necessary passwords and encryption keys represent a glaring hole in security policies that rely heavily on encryption alone.”
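The practical counterpart to that warning is the access audit log: an insider who holds a valid login and the decryption keys leaves no trace in the encryption layer, but does leave one in the record-access trail, which is exactly how a multi-year theft of tens of thousands of records gets confirmed by an internal audit. The script below is an added example, written for this page and not taken from the post or from any of the vendors it cites. It parses a constructed EMR access log (the line format, field names, user and patient identifiers, and the thresholds are all assumptions) and flags any user who touched far more distinct patient records in a day than peers in the same role.

```python
"""Flag EMR users whose daily record-access volume is far above their role peers.

Added example, not from the original post. The log format (timestamp, user,
role, patient id, action), the sample users and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of an EMR access-audit log (not real data).
# One day of activity: two nurses and three clerks, one of whom is sweeping records.
SAMPLE_LOG = """\
2008-04-14T09:02:11 jlee nurse P1001 view
2008-04-14T09:05:40 jlee nurse P1002 view
2008-04-14T09:30:03 jlee nurse P1003 view
2008-04-14T10:12:55 mkhan nurse P1010 view
2008-04-14T10:14:20 mkhan nurse P1011 update
2008-04-14T11:00:00 rpatel clerk P2001 view
2008-04-14T11:00:05 rpatel clerk P2002 view
2008-04-14T11:20:14 swong clerk P2003 view
2008-04-14T11:21:09 swong clerk P2004 view
2008-04-14T11:25:44 swong clerk P2005 view
2008-04-14T13:00:01 tgray clerk P3001 view
2008-04-14T13:00:09 tgray clerk P3002 view
2008-04-14T13:00:17 tgray clerk P3003 view
2008-04-14T13:00:25 tgray clerk P3004 view
2008-04-14T13:00:33 tgray clerk P3005 view
2008-04-14T13:00:41 tgray clerk P3006 view
2008-04-14T13:00:49 tgray clerk P3007 view
2008-04-14T13:00:57 tgray clerk P3008 view
2008-04-14T13:01:05 tgray clerk P3009 view
2008-04-14T13:01:13 tgray clerk P3010 view
2008-04-14T13:01:21 tgray clerk P3011 view
2008-04-14T13:01:29 tgray clerk P3012 view
2008-04-14T13:02:00 tgray clerk P3001 view
"""


def parse_log(text):
    """Parse whitespace-separated audit lines; skip blank or malformed lines instead of aborting the audit."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        entries.append({
            "date": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date(),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return entries


def distinct_patients_per_user_day(entries):
    """Count distinct patient records each user touched per day (repeat views of one record count once)."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["date"], e["role"], e["user"])].add(e["patient"])
    return {key: len(patients) for key, patients in seen.items()}


def find_outliers(entries, min_records=10, peer_multiple=3.0):
    """Flag (day, user) pairs whose distinct-record count is at least min_records
    and more than peer_multiple times the median of same-role peers that day.
    A user with no same-role peers that day is compared against a baseline of 0,
    so only the absolute min_records threshold applies."""
    counts = distinct_patients_per_user_day(entries)
    flagged = []
    for (day, role, user), n in sorted(counts.items()):
        peers = [m for (d, r, u), m in counts.items()
                 if d == day and r == role and u != user]
        baseline = median(peers) if peers else 0
        if n >= min_records and n > peer_multiple * baseline:
            flagged.append({"date": day.isoformat(), "user": user, "role": role,
                            "records": n, "peer_median": baseline})
    return flagged


if __name__ == "__main__":
    for hit in find_outliers(parse_log(SAMPLE_LOG)):
        print(f"{hit['date']} {hit['user']} ({hit['role']}): "
              f"{hit['records']} distinct records vs peer median {hit['peer_median']}")
```

Comparing each user against peers in the same role, rather than against a single global threshold, keeps a busy triage nurse from tripping an alarm tuned for billing clerks; the absolute floor (`min_records`) keeps a quiet day with two peers at one record each from flagging a third at four. On the constructed sample only the sweeping clerk is reported. In a real deployment the same logic runs over the EMR system's own audit export, and the flagged pairs are the starting point for a human review, not a verdict.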

A downloadable executive summary from Third Brigade notes that while it is impossible to remove every possible security risk to any business, it’s important to determine what level of risk you are willing to assume, and then cost-effectively implement security processes and technology that reduce the risk to an acceptable level.

“In addition to arming yourself with relevant and timely threat information, educating staff about security, and imposing security requirements with healthcare partners, there are a number of other important first steps you can take to determine how vulnerable your HCO is, and to prevent attackers from exploiting the applications you rely on.”

And finally, a downloadable executive summary from Devon IT urges healthcare IT departments to use thin client technology to protect private patient information and to achieve and strengthen HIPAA compliance.
